VYPR
Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 24, 2026

CVE-2026-39705

Description

Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MIPL WC Multisite Sync <= 1.4.4 has a broken access control vulnerability allowing unauthenticated exploitation of high-privilege actions.

Vulnerability Overview

The MIPL WC Multisite Sync plugin for WordPress (versions up to and including 1.4.4) contains a missing authorization vulnerability. The plugin fails to properly verify access control security levels, meaning that certain functions intended for privileged users can be executed without proper authentication or capability checks [1].

Exploitation

This broken access control issue allows an unauthenticated attacker to exploit incorrectly configured access control checks. Because the plugin does not validate that the current user has the necessary permissions before performing sensitive operations, a remote attacker can trigger high-privileged actions without any prior authentication [1]. The attack surface is the WordPress plugin's API endpoints or AJAX handlers that lack capability or nonce verification.
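A defender-side source check for the condition described above, as an added example that is not part of the advisory or the plugin's code: it lists WordPress AJAX handlers whose callback contains neither a capability check nor a nonce check. The `demo_*` PHP sample is constructed for illustration and does not reflect the plugin's real action or function names; the brace matching is a heuristic, so treat the findings as a starting point for manual review.

```python
import re

# Matches add_action('wp_ajax_[nopriv_]<action>', 'callback') and the
# array($obj, 'method') / [$obj, 'method'] callback forms.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*"
    r"(?:['\"](\w+)['\"]|(?:array\(|\[)\s*[^,]+,\s*['\"](\w+)['\"])")
CHECKS = {
    "capability": re.compile(r"\bcurrent_user_can\s*\("),
    "nonce": re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\("),
}

def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # heuristic: braces in strings count too
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List AJAX handlers whose callback lacks a capability or nonce check."""
    findings = []
    for m in HOOK_RE.finditer(src):
        body = function_body(src, m.group(3) or m.group(4))
        if body is None:  # callback defined in another file
            continue
        missing = [k for k, rx in CHECKS.items() if not rx.search(body)]
        if missing:
            findings.append({"action": m.group(2), "missing": missing,
                             "unauthenticated": bool(m.group(1))})
    return findings

# Constructed sample, not code from MIPL WC Multisite Sync.
SAMPLE = r"""
add_action('wp_ajax_nopriv_demo_save_sync', 'demo_save_sync');
add_action('wp_ajax_demo_save_sync_fixed', 'demo_save_sync_fixed');
function demo_save_sync() {
    update_option('demo_sync_settings', $_POST['settings']);
}
function demo_save_sync_fixed() {
    check_ajax_referer('demo_sync', 'nonce');
    if (!current_user_can('manage_options')) { wp_die('forbidden', 403); }
    update_option('demo_sync_settings', wp_unslash($_POST['settings']));
}
"""
```

To review an installed plugin, pass the concatenated contents of its `.php` files to `audit()`; a finding with `unauthenticated` set to true means the handler is registered on a `wp_ajax_nopriv_` hook and is reachable without a login.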

Impact

An attacker exploiting this vulnerability can perform actions normally restricted to administrators or shop managers, such as modifying multisite synchronisation settings or accessing sensitive data. This can lead to unauthorized changes across the WordPress multisite network, potentially compromising the integrity and security of all connected sites [1].

Mitigation

The vendor has addressed the issue in a patched version (1.4.5 or later). Users are strongly advised to update the plugin immediately. For sites that cannot be updated, temporary measures include restricting network access to the plugin's endpoints or seeking assistance from a hosting provider or web developer [1]. The vulnerability has a CVSS v3 base score of 5.3 (Medium).

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
